Open Source NGINX Security

Stop NGINX misconfigurations before they become breaches

Gixy is a static analyzer that detects security vulnerabilities in your NGINX configuration. Find SSRF, HTTP splitting, host spoofing, and 30+ other issues before hackers do.

1,200+ GitHub Stars
30+ Security Checks
6+ yrs Actively Maintained
$ gixy /etc/nginx/nginx.conf
==================== Results ====================
⚠ [ssrf] Server Side Request Forgery
  Unsafe variable in proxy_pass: $host
  File: /etc/nginx/conf.d/proxy.conf
  Line: 12
✗ [http_splitting] HTTP Response Splitting
  add_header with unvalidated input
  File: /etc/nginx/nginx.conf
  Line: 45
==================== Summary ====================
Total issues found: 2
Config validated: /etc/nginx/nginx.conf

Built for security-conscious teams

Gixy understands NGINX deeply. It parses your configuration, follows includes, and analyzes the complete picture to find real vulnerabilities.

Deep Static Analysis

Goes beyond pattern matching. Gixy builds an abstract syntax tree of your config and traces variable usage across directives.

CI/CD Ready

JSON output, configurable exit codes, and zero dependencies on NGINX itself. Perfect for GitHub Actions, GitLab CI, or any pipeline.

Include Resolution

Automatically follows include directives and globs. Analyzes your complete configuration as NGINX sees it.

Extensible Plugins

Add custom checks for your organization's security policies. The plugin API makes it easy to enforce internal standards.

IDE Integration

VS Code extension provides real-time feedback as you edit. See security issues before you even save the file.

Battle-Tested

Originally developed at Yandex, now maintained with 1,200+ GitHub stars. Trusted by security teams worldwide.

What Gixy detects

Over 30 security checks covering the most dangerous NGINX misconfigurations.

SSRF (Server Side Request Forgery)

Unsafe variables in proxy_pass

HTTP Response Splitting

Newlines in headers via user input

Host Header Spoofing

$host in sensitive contexts

Weak SSL/TLS

Insecure protocols and ciphers

add_header Overwrite

Security headers lost in nested blocks

Referrer/Origin Bypass

Weak validation patterns

Alias Path Traversal

Directory escape vulnerabilities

Version Disclosure

Server tokens leaking info

Missing HSTS

No Strict-Transport-Security
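
The "add_header Overwrite" item above comes from NGINX's inheritance rule: a block that defines any add_header of its own stops inheriting the add_header set of its parent level. The sketch below is an added example, not Gixy's code or plugin API; it re-implements that single check over a constructed config, and the names SAMPLE and dropped_headers are assumptions made for illustration.

```python
import re

# Constructed sample config (not taken from the Gixy page or project).
SAMPLE = """
server {
    add_header X-Frame-Options DENY;
    add_header Strict-Transport-Security "max-age=31536000";
    location /static/ {
        add_header Cache-Control "public";   # cancels both inherited headers
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8080;    # no add_header here: inherits both
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+')

def _parse(tokens, name):
    """Consume tokens up to the matching '}' and return one block as a dict."""
    block = {"name": name, "headers": [], "children": []}
    words = []
    for tok in tokens:
        if tok == ";":
            if len(words) >= 3 and words[0] == "add_header":
                block["headers"].append(words[1].strip("\"'"))
            words = []
        elif tok == "{":
            block["children"].append(_parse(tokens, " ".join(words)))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return block

def dropped_headers(conf):
    """Return [(block name, [inherited header names lost in that block])]."""
    findings = []
    def walk(block, inherited):
        own = {h.lower(): h for h in block["headers"]}
        lost = sorted(n for k, n in inherited.items() if k not in own) if own else []
        if lost:
            findings.append((block["name"], lost))
        for child in block["children"]:
            walk(child, own or inherited)  # own add_header replaces the inherited set
    tokens = (t for t in TOKEN.findall(conf) if not t.startswith("#"))
    walk(_parse(tokens, "main"), {})
    return findings
```

Repeating the parent's security headers inside `location /static/` (or moving them into a shared include used at each level) clears the finding.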


Get Started in Seconds

Install Gixy with pip and start scanning your NGINX configs immediately.

pip install gixy-ng